Skip to content

dep: [security] bump octokit from 4.24.0 to 4.25.0

George Koltsov requested to merge dependabot-bundler-octokit-4.25.0 into main

Bumps octokit from 4.24.0 to 4.25.0. This update includes a security fix.

Vulnerabilities fixed

Octokit gem published with world-writable files

Impact

Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files.

Specifically, the gem was packed with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r-- (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem.

Malicious code already present and running on your machine, separate from this package, could modify the gem’s files and change its behavior during runtime.

Patches

Workarounds

Users can use the previous version of the gem v4.22.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.

Patched versions: 4.25.0 Affected versions: >= 4.23.0, < 4.25.0

Release notes

Sourced from octokit's releases.

v4.25.0

NOTE: This remediates A security advisory was published on versions 4.23.0 and 4.24.0 of this gem. You can read more about this in the published security advisory.

DX Improvements

CI Improvements

Updates all build scripts to be more durable and adds details on how to run a manual file integrity check by @​nickfloyd in octokit/octokit.rb#1446

Housekeeping

Full Changelog: https://github.com/octokit/octokit.rb/compare/v4.24.0...v4.25.0

Commits
  • a73386b Release 4.25.0
  • e3c8875 Release: v4.25.0
  • 1c8edec Merge pull request #1446 from octokit/updates-release-steps-ic
  • 121fafc adds the validator script
  • c9a2e52 reworks the scripts to be more durable / predictable / informational when exe...
  • 3da85b1 moves the check to a separate step
  • f499f69 Adds details on how to run a manual file integrity check
  • dd622a3 Merge pull request #1442 from octokit/base64
  • be67ec0 Merge branch '4-stable' into base64
  • c1f4c60 Merge pull request #1443 from octokit/rubygems-mfa
  • Additional commits viewable in compare view


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • @dependabot-bot rebase will rebase this MR
  • @dependabot-bot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Allure report

allure-report-publisher generated test report!

rspec: test report for 69e64cc8

+------------------------------------------------------------------+
|                        behaviors summary                         |
+-------------+--------+--------+---------+-------+-------+--------+
|             | passed | failed | skipped | flaky | total | result |
+-------------+--------+--------+---------+-------+-------+--------+
| controllers | 25     | 0      | 0       | 0     | 25    | ✅     |
| services    | 173    | 0      | 0       | 0     | 173   | ✅     |
| models      | 3      | 0      | 0       | 0     | 3     | ✅     |
| jobs        | 14     | 0      | 0       | 0     | 14    | ✅     |
| system      | 10     | 0      | 0       | 0     | 10    | ✅     |
| tasks       | 8      | 0      | 0       | 0     | 8     | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+
| Total       | 233    | 0      | 0       | 0     | 233   | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+
Edited by George Koltsov

Merge request reports

Loading